Luxury department store giant Neiman Marcus said that cyber thieves quietly lifted as many as 1.1 million customers’ cards during a four-month period last year.

In an apologetic letter to customers on the company’s website, Neiman’s president and CEO Karen Katz said the thieves “clandestinely installed” malware, or malicious software, on its payments system to scrape customers’ payment data.

The software captured information on 1.1 million customers’ cards between July 16 and Oct. 30, 2013.

“We deeply regret and are very sorry that some of our customers’ payment cards were used fraudulently after making purchases at our stores,” Katz said in the letter, which offered customers one free year of credit monitoring and identity-theft protection.

Approximately 2,400 “unique customer payment cards” used at the retailers’ stores have since been fraudulently used, Katz said.

Neiman’s announcement comes on the heels of an even bigger security breach at retail chain Target, which said 40 million cards were compromised last holiday shopping season, thanks to cyber crooks. They also nabbed personal data, such as e-mail addresses, of 70 million Target customers.

The cyber heists have led to federal investigations by the Treasury’ Department’s Secret Service and the Department of Homeland Security.

Still, experts say they expect many more such heists to invade US retailers because the malware is so cheap to purchase in underground markets.

“There’s reason to believe a significantly larger number of retailers have been affected by this,” said Tiffany Jones, an executive with iSights Partners, a Dallas security firm that is working with federal agents on tracking the culprits of the Target breach.

Acting as a “bad actor,” Andrew Komarov, chief executive officer of security firm IntelCrawler, was offered a chance to buy the malware last year for a mere $500 if he would agree to split the profits with the seller, he said.